Abstract — In this work we study the problem of misbehavior
detection in wireless networks. A commonly adopted approach
is to utilize the broadcasting nature of the wireless medium and
have nodes monitor their neighborhood. We call such nodes
the Watchdogs. In this paper, we first show that even if a
watchdog can overhear all packet transmissions of a flow, any
linear operation of the overheard packets cannot eliminate
miss-detection and is inefficient in terms of bandwidth. We propose
a lightweight misbehavior detection scheme which integrates the
idea of watchdogs and error detection coding. We show that
even if the watchdog can only observe a fraction of packets, by
choosing the encoder properly, an attacker will be detected with
high probability while achieving throughput arbitrarily close to
optimal. Such properties reduce the incentive for the attacker to
attack.

I. Introduction 

In wireless ad hoc and sensor networks, paths between a 
source and destination are usually multihop, and data packets 
are relayed in several wireless hops from their source to their 
destination. This multihop nature makes the wireless networks 
subject to tampering attack: a compromised/misbehaving node 
can easily ruin data communications along the paths it is on 
by dropping or corrupting packets it should forward. 

The watchdog mechanism proposed in [1] is a monitoring
method used for ad hoc and sensor networks, and it is the basis
of many misbehavior detection algorithms and trust or reputation
systems. The basic idea of the watchdog is that a watchdog
node monitors whether its neighbor forwards the packets by
overhearing. If a packet is not forwarded within a certain
period, or is forwarded but altered, the neighbor is regarded
as misbehaving in this transaction. When the misbehaving
rate surpasses a certain threshold, the source is notified and
subsequent packets will be forwarded along other routes.

The main challenge for most watchdog mechanisms is
the unreliable wireless environment. Due to possible reasons
such as channel fading, collision with other transmission, or 
interference, even when the source node and the attacker are 
both within communication range, the watchdog may not be 
able to overhear every transmission and therefore is unable to 
determine whether there is an attack. 

To mitigate the misbehavior of the malicious nodes, a
watchdog mechanism must achieve the following two goals:
(1) A malicious node should be detected with high probability
if it attacks. (2) The throughput under the detection mechanism
should be comparable to the throughput without detection if
there is no attack. These two goals seem to conflict with each
other. On one hand, to improve the probability of detection,
we need to introduce more redundancy. On the other hand,
better throughput requires redundancy to be reduced.

In this paper, we show that both goals can be achieved 
simultaneously by introducing error detection block coding 
to the watchdog mechanism. This scheme is computationally 
simple, yet efficient. The watchdog only needs to perform a
compare operation. And by choosing the encoder properly,
the probability of miss-detection can be made arbitrarily small 
while the throughput approaches optimal, even in the case 
when the attacker knows what encoder is being used and the 
watchdog can only overhear a fraction of the packets. 

The remainder of the paper is organized as follows. Section
II discusses related work. Section III proves any linear
operation is inefficient in misbehavior detection. Sections IV
and V describe and analyse our watchdog scheme with error
detection codes. Finally, Section VII concludes the paper.

II. Related Works 

To ensure the reliability of packet delivery, trust for ad
hoc and sensor networks has been investigated extensively in
the literature. The foundation of such dynamic trust systems is
the node behavior monitoring mechanism. The most frequently
used one is the watchdog mechanism proposed in [1] and its
variations.

The main idea of the watchdog in [1] is overhearing. When
a node sends a packet to its neighbor, it also caches it locally.
Then the node listens to its neighbor's communication. If the
neighbor does not forward the same packet to its next-hop
node within a short period, it is regarded as misbehaving.
In this way, a node can record the successful and failed
forwarding history of its next-hop.

On the basis of the watchdog, various misbehavior judging and
handling mechanisms have been proposed. [1] judges a node to be
misbehaving when the failure tally exceeds a certain threshold and
sends a packet backward to notify the source. The
source then chooses a new route free of misbehaving nodes
with the aid of a "pathrater".

[2] proposes to measure the next-hop's behavior with the
local evaluation record, which is defined as a 2-tuple: packet
ratio and byte ratio, forwarded by the next-hop neighbor. Local
evaluation records are broadcast to all neighbors. The trust
level of a node is the combination of its local observation
and the broadcast information. The trust level is inserted into
the RREQ. The route is selected in a way similar to AODV
[3]. Although many ad hoc trust or reputation systems [4],
[5] and [6] adopt different trust level calculation mechanisms,
the basic processes are similar to [2], including monitoring,
broadcasting local observations, and combining the direct and indirect
information into the final trust level.

Fig. 1. Single Flow. Arrows (in or out) connected to the same node interfere
with each other. The dash lines represent broadcast channels.

Recently, the security issue in network coding systems has
drawn much attention. Due to the mixing nature of network
coding, such systems are subject to a severe security threat,
known as a pollution attack, where attackers inject corrupted
packets into the network.

Several solutions to address pollution attacks in intra-flow
coding systems use specially crafted digital signatures [7], [8],
[9], [10] or hash functions [11], [12], which have homomorphic
properties that allow intermediate nodes to verify the
integrity of combined packets. Non-cryptographic solutions
have also been proposed [13], [14]. [15] proposes two practical
schemes to address pollution attacks against network coding
in wireless mesh networks without requiring complex cryptographic
functions, incurring little overhead.

Most of the existing network coding schemes rely on
random linear combinations of data packets. And as we show
in Section III, any linear operation cannot eliminate
miss-detection even if all transmissions are reliable.

III. Limitation of Linear Coding 

In this section, we point out the limitation of linear coding
in attack detection and show the advantage of non-linear
coding. Let's consider the following example as in Fig. 1. There
are 4 nodes in this case: the source node S, destination node
D, attacker A, and the watchdog node W. Transmissions are
represented by arrows. Arrows (in or out) connected to the
same node interfere with each other and cannot be scheduled
simultaneously. The dash lines represent broadcast channels.

Each packet consists of n symbols from the finite field $F_2$.
When S (A) sends a packet, it will be received by A and
W (D and W). S wants to transmit data packets to D through
A. We want any tampering by A to be detected by D. We
assume all links are reliable and have the same transmission rate of
1 symbol per unit time. We also assume an optimal centralized
schedule is enforced. Under such assumptions, the watchdog W
is able to monitor every packet and send m checking symbols
to D. The m checking symbols are a function of p and p', the
vector representations of the original packet sent by S and the
corresponding copy forwarded by A: $w = F(p, p')$. Under
such assumptions the throughput is



T = 



2n + m 



{symbols /unit time). 



(1) 



For the case of linear coding, we assume F satisfies the
following properties:

$F(0, 0) = 0$ (2)

$F(a, b) + F(c, d) = F(a + c, b + d)$ (3)

$F(\gamma a, 0) = \gamma F(a, 0)$ (4)

$F(0, \gamma a) = \gamma F(0, a)$. (5)

Node D will miss an attacked packet if $F(p', p') = w$. Denote
$p' = p + e$,

$F(p', p') = F(p, p')$ (6)

$\Rightarrow F(p + e, p + e) = F(p, p + e)$ (7)

$\Rightarrow F(p, p) + F(e, e) = F(p, p) + F(0, e)$ (8)

$\Rightarrow F(e, e) = F(0, e)$ (9)

$\Rightarrow F(e, 0) = 0$. (10)

It is easy to show that $F(e, 0)$ is a linear function of e and
can be expressed by an $m \times n$ matrix M in the finite field $F_2$,
and

$F(e, 0) = Me$. (11)

If A chooses e from the null space of M, $\mathrm{Null}(M)$, $F(e, 0)$
will be 0 and D will consider the packet safe. Suppose A has
no knowledge of F; the best it can do is to pick a random e.
Then the probability of missing an attack equals the probability
of picking e from the $2^{\mathrm{Rank}(\mathrm{Null}(M))} - 1$ non-zero vectors of
$\mathrm{Null}(M)$ out of $2^n - 1$ non-zero vectors in the n dimension
space. Since $n - m \le \mathrm{Rank}(\mathrm{Null}(M)) \le n$, we have the
following bounds of the probability of miss-detection for any
linear coding scheme

$\frac{2^{n-m} - 1}{2^n - 1} \le P_{miss} \le 1$. (12)

So to achieve a target probability of miss-detection $\theta$, W
has to send at least $m \ge \lceil -\log_2 \theta \rceil$ checking symbols to
D for every packet. On the other hand, if we allow F to be
nonlinear, only one symbol is enough to eliminate miss-detection
completely. This can be easily done by setting
$F(p, p') = \mathbf{1}_{\{p = p'\}}$, which equals 1 if $p = p'$ and
0 otherwise.

Here we want to point out that the same result also applies to
linear network coding. The proof is similar by considering p
as a generation of n coded packets and the watchdog sends m
linear combinations of the packets it overhears to the receiver
for verification.
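
The null-space argument of this section can be checked exhaustively for small parameters. The following Python sketch is an added example, not code from the paper; it assumes the binary field GF(2), and the matrices M_FULL and M_WEAK, the packet length and all function names are constructed for illustration.

```python
# Added illustration, not code from the paper. Assumes the binary field GF(2).
from itertools import product

def apply_gf2(M, e):
    """Compute M e over GF(2); M is m rows of n bits, e is n bits."""
    return tuple(sum(a & b for a, b in zip(row, e)) % 2 for row in M)

def rank_gf2(M):
    """Rank over GF(2) by XOR elimination on rows packed into integers."""
    basis = []
    for row in M:
        r = int("".join(map(str, row)), 2)
        for b in basis:
            r = min(r, r ^ b)      # XOR only when it clears b's leading bit
        if r:
            basis.append(r)
    return len(basis)

def missed_errors(M, n):
    """Non-zero alterations e with M e = 0: the linear check cannot see them."""
    zero = (0,) * len(M)
    return [e for e in product((0, 1), repeat=n)
            if any(e) and apply_gf2(M, e) == zero]

def miss_probability(M, n):
    """Chance that a uniformly random non-zero e goes unnoticed."""
    return len(missed_errors(M, n)) / (2 ** n - 1)

def lower_bound(n, m):
    """Lower bound of Eq. (12): (2^(n-m) - 1) / (2^n - 1)."""
    return (2 ** (n - m) - 1) / (2 ** n - 1)

def indicator_check(p, p_prime):
    """The non-linear one-symbol check: 1 if p = p', 0 otherwise."""
    return 1 if tuple(p) == tuple(p_prime) else 0

# Constructed matrices: n = 6 symbols per packet, m = 2 checking symbols.
N = 6
M_FULL = [[1, 0, 1, 1, 0, 0],
          [0, 1, 1, 0, 1, 0]]      # rank 2: meets the lower bound exactly
M_WEAK = [[1, 0, 1, 1, 0, 0],
          [1, 0, 1, 1, 0, 0]]      # rank 1: the second symbol adds nothing

if __name__ == "__main__":
    for name, M in (("M_FULL", M_FULL), ("M_WEAK", M_WEAK)):
        print(name, "rank", rank_gf2(M),
              "P_miss", round(miss_probability(M, N), 4),
              "bound", round(lower_bound(N, len(M)), 4))
    p = (1, 0, 1, 1, 0, 1)         # constructed packet
    caught = sum(1 - indicator_check(p, tuple(a ^ b for a, b in zip(p, e)))
                 for e in product((0, 1), repeat=N) if any(e))
    print("indicator check catches", caught, "of", 2 ** N - 1, "alterations")
```

With two checking symbols the best linear check still misses 15 of the 63 non-zero alterations, while the one-symbol indicator misses none.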

IV. Single Flow Case

Here we consider the same example as in Section III. The
watchdog W will compare packets that it overhears from both
S and A, and will report an attack if they do not match. But
we assume the watchdog W can detect tampering by A with
probability q. In this case, W may not always be able to detect
an attack. To enhance security, S encodes every k packets into
a block of n coded packets with an (n,k) error detection code.
We further assume the attacker knows what encoder is being
used but does not know which packets W is able to overhear.

We assume MDS (maximum distance separable) codes are
being used. With an (n,k) MDS code, an attack will always be
detected as long as no more than $n - k$ packets are altered. As
a result, A has to alter at least $n - k + 1$ packets in a block in
order to avoid being detected by the decoder. And since the
more packets A attacks the easier it will be caught by W, it is
in A's interest to attack just the minimum number of packets
per block: $n - k + 1$. In this case, it is easy to show that the
probability of A not being caught is

$P_{miss}(n, k, q) = (1 - q)^{n-k+1}$. (13)



We are interested in the highest coding rates we can achieve 
such that A has no incentive to attack. We construct a (n,k) 
encoder such that 



k = 



1 - 



f{n,q) 



From Eq. 13 we have



(14) 



(15) 



We can then choose the function $f(n, q)$ appropriately so that
we can make $P_{miss}$ arbitrarily small. For example, by making
$f(n, q) = \beta \ln n$ for any positive constant $\beta$, we have

$P_{miss}(n, k, q) \le e^{-\beta \ln n}$. (16)



So we can reduce the incentive for A to attack by making the 
block longer. And the coding rate becomes 




[Figure 2 plot; horizontal axis: Overhear probability q]

Fig. 2. Miss detection probability v.s. observe probability in the single flow
example.

Fig. 3. Miss detection probability with k = n + 1 — ^ " in the single
flow example.

Since the delay to verify a block equals the time it takes
to transmit the n packets in the block, the tradeoff between probability
of miss-detection and n that we plot in Figure 2 and Figure 3 is
also the tradeoff between miss-detection and delay. We assume
that for the n plotted in the figures, a suitable MDS (n,k) code
exists for the block. We can see that by integrating a watchdog
and error detection coding, we can reduce the incentive for the
attacker to attack by allowing longer delay.

Notice that by making n large, the coding/decoding complexity
increases. In the case complexity is a concern, the
source can scramble coded packets of multiple (n, k) encoded
blocks and transmit these packets in a random order. By doing
so, the attacker will have to corrupt more packets in order to
destroy a particular block, which makes it easier to be detected
by the watchdog.

V. Two Flows Case 

In the previous section, we assume the watchdog W can
only compare a packet with probability q. Possible reasons
for making this assumption are: a watchdog node may be
intentionally turned off occasionally in order to save power,
or interference from other nodes in the network means the
watchdog can observe only a fraction of the packets. In this
section, we will look into the latter case. Since the level
of interference is highly correlated to the traffic load in
the system, we will mainly focus on the trade-off between
throughput and security.



Fig. 4. Two Flows

Fig. 5. Miss detection probability v.s. channel access probability with k =
in the two flows example. Where the curves stop means no code is available.



Consider the following example. There are two flows in
the system: S1-A-D1 and S2-B-D2. These flows are far
away from each other so there is no inter-flow interference.
But the watchdog W is sitting between the flows and can
overhear transmissions on all the four links. So even though a
transmission is successful along its path, it may collide with
transmissions along the other flow at W. Suppose A is the
attacker; we want to know the probability q in this case.
For the traffic pattern, we assume slotted ALOHA with access
probability $\alpha$. To simplify the analysis, we further assume a
node will access the channel by transmitting dummy packets
when it has no data packet to send. Under these assumptions,
we can compute the throughput and observe probability as



$T = \alpha(1 - \alpha)$ (18)

$q = (1 - \alpha)^5$ (19)



The exponent in Eq. 19 is 5 because given that the transmission
from S1 to A is successful, W can overhear it if neither S2 nor
B transmit, which occurs with probability $(1 - \alpha)^2$. To compare
this packet, W should overhear the transmission from A to D1
too, which happens with probability $(1 - \alpha)^3$ for S1, S2 and
B to remain silent.
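
A Monte Carlo check of the single-flow miss probability (Eq. 13) with the two-flow observe probability (Eq. 19) plugged in, as an added example that is not part of the original paper. The function names, the seed, the trial count and the block parameters (n, k) = (15, 11) are assumptions chosen for illustration.

```python
# Added illustration, not code from the paper; names and parameters are assumed.
import random

def overhear_prob(alpha):
    """Eq. (19): W hears both copies of a packet with probability (1 - alpha)^5."""
    return (1 - alpha) ** 5

def analytic_miss(n, k, q):
    """Eq. (13): every one of the n - k + 1 altered packets escapes comparison."""
    return (1 - q) ** (n - k + 1)

def watchdog_compares(alpha, rng):
    """Simulate one altered packet under slotted ALOHA with access probability alpha.

    Given that each hop succeeds on its own flow, W hears S1->A only if S2 and B
    stay silent, and hears A->D1 only if S1, S2 and B stay silent.
    """
    hop1_clear = all(rng.random() >= alpha for _ in range(2))
    hop2_clear = all(rng.random() >= alpha for _ in range(3))
    return hop1_clear and hop2_clear

def simulate_miss(n, k, alpha, blocks=20000, seed=1):
    """Fraction of attacked blocks in which W compares none of the altered packets."""
    rng = random.Random(seed)
    altered = n - k + 1          # fewest alterations an (n, k) MDS decoder can miss
    escaped = 0
    for _ in range(blocks):
        caught = any(watchdog_compares(alpha, rng) for _ in range(altered))
        escaped += not caught
    return escaped / blocks

if __name__ == "__main__":
    n, k = 15, 11                # constructed block parameters, 5 altered packets
    for alpha in (0.1, 0.3, 0.5):
        q = overhear_prob(alpha)
        print(f"alpha={alpha:.1f} q={q:.4f} "
              f"analytic={analytic_miss(n, k, q):.4f} "
              f"simulated={simulate_miss(n, k, alpha):.4f}")
```

The simulated fraction tracks $(1 - (1 - \alpha)^5)^{n-k+1}$ and rises quickly with $\alpha$, which is the loss of watchdog coverage under load that this section analyses.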

Similar to the one-flow example, we can make Pmiss 
arbitrarily small by choosing 



k = 



1 - 



(1 



(20) 



And the effective throughput is

$T_e = TR = \alpha(1 - \alpha)\left(1 + \frac{1}{n}\right) - \frac{\alpha \beta \ln n}{(1 - \alpha)^4 n}$. (21)



In Figure 5 and Figure 6 we plot the miss-detection probability
and effective throughput when the error detection code
is chosen according to Eq. 20. We only plot the result for
$\alpha < 0.5$ because further increasing $\alpha$ will only reduce the
throughput. We can see from Figure 5 that the probability of
miss-detection increases as $\alpha$ increases and converges to roughly
$n^{-\beta}$. Since the higher $\alpha$ is, the fewer packets the watchdog
can observe, the source has to sacrifice coding rate in order
to maintain a certain probability of missing an attack as $\alpha$
increases. As shown in Figure 6, as $\alpha$ increases, the
effective throughput increases up to a certain level and then drops
to zero as $\alpha$ gets larger.

Fig. 6. Effective throughput v.s. channel access probability k = n + 1
in the two flows example. Where the curves stop means no code is
available.

We show the performance of some $(2^m - 1, 2^m - m - 1)$
Hamming codes in Figure 7 and Figure 8. In the case we cannot
adapt the encoder to channel access probability, although
there is no guarantee for miss-detection probability, a longer
code always performs better in terms of both miss-detection
probability and effective throughput. But such improvement
comes at the cost of additional delay.

VI. Discussion 

In the previous sections, we have studied the case when the
watchdog node is trustworthy. But in reality, it is also possible
that the watchdog misbehaves. We admit that our scheme may
fail to detect an attack if both the watchdog and the forwarder
can be malicious. In this case the relay node can alter the
packets as much as possible without being detected as long as
the faulty watchdog never declares an attack. However, in the
case of single failure (at most one of the two nodes - forwarder
or watchdog - is faulty), if the watchdog is faulty, the only
way for it to attack the system is to accuse the relay node of
attacking; and if the watchdog is well-behaving, it will declare
an attack if and only if the relay node alters the packets. So
under the assumption of single failure, we can be sure that
either the watchdog or the relay is malicious. However, our
scheme still cannot determine which node is misbehaving. To
break the tie, the relay may have to be monitored by more
than one watchdog, which imposes a higher connectivity requirement.
This is one of the potential directions, and we are currently
working on it.

Fig. 7. Miss detection probability v.s. channel access probability for some
Hamming codes.

Fig. 8. Effective throughput v.s. channel access probability for some
Hamming codes.



VII. Conclusion 

In this work we study the problem of misbehavior detection
in wireless networks. We first show that even if a watchdog
can overhear all packet transmissions of a flow, any linear
operation of the overheard packets cannot eliminate
miss-detection and is inefficient in terms of bandwidth. We propose
a lightweight misbehavior detection scheme which integrates
the idea of watchdogs and error detection coding. We show
that even if the watchdog can only observe a fraction of
packets, by choosing the encoder properly, an attacker will
be detected with high probability while achieving throughput
arbitrarily close to optimal.